[+] Exploit Title: Seditio CMS Multiple Vulnerabilities
[+] Google Dork: intext:"Powered by Seditio CMS"
[+] Date: 27/7/2015
[+] Exploit Author: Arash Khazaei
[+] Vendor Homepage: http://www.seditiocms.com/
[+] Software Link: http://www.seditiocms.com/page.php?id=20&a=dl
[+] Version: 1.7.1(Last Version)
[+] Tested on: Kali , Windows
[+] CVE : N/A
===============================
Introduction :
1- a vulnerability in seditio cms reveal Admin Password For Attacker.
2- another Vulnerability in This CMS Is After Admin Logged Out Session Will
Be Not Expired .
===============================
Reaval Admin Password :
POC 1:
in seditio CMS If We Login With Remember Feature CMS Make COokies Like This
:
MTpfOjU4YjU0NDRjZjFiNjI1M2E0MzE3ZmUxMmRhZmY0MTFhNzhiZGEwYTk1Mjc5YjFkNTc2OGViZjVjYTYwODI5ZTc4ZGE5NDRlOGE5MTYwYTBiNmQ0MjhjYjIxM2U4MTM1MjVhNzI2NTBkYWM2N2I4ODg3OTM5NGZmNjI0ZGE0ODJmOl86c3BlY2lhbA==
if we decode This base64 Encoded Text We Got This :
1:_:58b5444cf1b6253a4317fe12daff411a78bda0a95279b1d5768ebf5ca60829e78da944e8a9160a0b6d428cb213e813525a72650dac67b88879394ff624da482f:_:special
If Look Between 1:_: We Have hashed Password Of Admin In This case Hashed
Password Is admin1 .
do If Admin Cookie Stealed site Admin Password Can Be Stealed By Attacker
If Password Not Strong To Much.
==================================================
POC 2:
if admin cookie stealed by reason Anything If We Set Base64 Of Admin
Password Like this :
MTpfOjU4YjU0NDRjZjFiNjI1M2E0MzE3ZmUxMmRhZmY0MTFhNzhiZGEwYTk1Mjc5YjFkNTc2OGViZjVjYTYwODI5ZTc4ZGE5NDRlOGE5MTYwYTBiNmQ0MjhjYjIxM2U4MTM1MjVhNzI2NTBkYWM2N2I4ODg3OTM5NGZmNjI0ZGE0ODJmOl86c3BlY2lhbA==
and set it on your self cookie you logged in as admin in site .
Session Of Admin After Logged Out Never Will Be Expired .
Discovered By : Arash Khazaei .